evoteam team mailing list archive

[Bug 557399] Re: Only display comments for items a user is allowed to view

 

I cannot reproduce this bug in QP; the SQL queries currently used
properly restrict the result set (by calling statuses_where_clause()).
The file inc/comments/model/_commentquery.class.php does not exist in QP
-- I see it has been added to b2evo just recently and apparently has
introduced this vulnerability into the code base.

Anyway, QP is not affected by this bug.

** Visibility changed to: Public

** Changed in: quam-plures
    Milestone: 0.0.0 => None

** Changed in: quam-plures
       Status: New => Invalid

-- 
Only display comments for items a user is allowed to view
https://bugs.launchpad.net/bugs/557399
You received this bug notification because you are a member of Evoteam,
which is a direct subscriber.

Status in b2evolution: Fix Committed
Status in Quam Plures, as many as possible: Invalid

Bug description:
Please make sure to get this fix into QP:
http://bazaar.launchpad.net/~vcs-imports/b2evolution/trunk/revision/8590

It prevents comments popping up in "Latest comments" for e.g. private or protected items!!




